POS Malware Abuses Exposed ElasticSearch Nodes for C&C

Two point of sale (POS) malware families have been abusing thousands of publicly accessible ElasticSearch nodes for command and control (C&C) purposes, Kromtech security researchers warn.

Malicious files discovered on the ElasticSearch deployments referenced to the AlinaPOS and JackPOS malware families, which are well known for their wide use in credit card data theft campaigns. Both threats have been designed to scrape credit card data from computer memory.

Both JackPOS and AlinaPOS have been around for several years and have seen numerous variants to date, each employing different techniques to steal credit card data. Already widespread, POS malware is active year-round, but usually shows spikes in activity during the holiday shopping season.

According to Kromtech, Alina is now available for sale online and some of its variants are enjoying low detection rates by popular anti-virus engines (tested with VirusTotal). Even relatively old C&C servers hosting sites can’t be used reliably for detection, they say.

Contributing to this situation was the fact that many ElasticSearch servers aren’t properly configured, thus allowing attackers to abuse them for their nefarious purposes. In this instance, infected servers were used as part of a larger POS botnet purposed for C&C functionality, controlling POS malware clients.

This isn’t the first time ElasticSearch nodes made the news after falling to miscreants. In January this year, after tens of thousands of MongoDB databases were ransacked, hackers turned to ElasticSearch servers, deleted data on them, and demanded various ransom amounts, claiming they can restore the wiped information.

A new wave of ransomware attacks on improperly secured MongoDB deployments was observed a couple of weeks back, prompting the company to implement new security measures. Cybercriminals targeting insecure ElasticSearch servers, however, appear to have had other plans for them.

After performing a Shodan search, Kromtech discovered nearly 4000 infected ElasticSearch servers, most of which (about 99%) are hosted on Amazon.

“Why Amazon? Because on Amazon Web Services you can get a free t2 micro (EC2) instance with up to 10 Gb of disk space. At the same time t2 micro allows to set up only versions ES 1.5.2 and 2.3.2. AWS-hosted ES service gives you a possibility to configure your ES cluster just in few clicks,” the researchers note.

This also means that many of those who configured the servers didn’t pay much attention to the security configuration steps during the quick installation process. Because of that, the servers remained exposed to attackers, and Kromtech discovered that multiple actors hit them, the same as it happened during the ransomware campaign in the beginning of the year.

Because the insecure ElasticSearch servers were infected multiple times, the discovered packages could be traced to different POS botnets. Due to periodic scans, time of infection could differ between servers, even if the same package is involved. The most recent infections occurred at the end of August 2017.

The security researchers also discovered that 52% of infected servers run ElasticSearch version 1.5.2, while 47% run version 2.3.2. The remaining 1% run other software versions.